new router attacks
Posted: Wed Jul 17, 2019 3:10 pm
by mmikeinsantarosa
I just saw
Brazil is at the forefront of a new type of router attack.
This time around, besides hijacking users visiting Brazilian banks, the hackers were also redirecting users to phishing pages for Netflix, Google, and PayPal, to collect their credentials, according to researchers at Ixia.
But according to a report published by Avast this week, these attacks haven't stopped. In fact, according to the company, in the first half of 2019, hackers have infected and modified the DNS settings of over 180,000 Brazilian routers.
fyi
Re: new router attacks
Posted: Wed Jul 17, 2019 4:03 pm
by rokytnji.1
That is rough.
In general, the exploit kit attempts to find the router IP on a network, and subsequently attempts to guess the password using various login credentials. Here is the list of the top used login credentials (username:password):
from:
https://decoded.avast.io/threatintel/ro ... in-brazil/
Username examples to avoid I guess
admin:admin
admin:
admin:12345
Admin:123456
admin:gvt12345
admin:password
admin:vivo12345
root:root
super:super
The password “gvt12345”, for example, suggests that hackers target users with routers from the former Brazilian internet service provider (ISP) GVT, which was acquired by Telefônica Brasil, and is the largest telecommunications company in the country. The password “vivo12345” is used on routers distributed by the ISP Vivo, which is also a Telefônica Brasil brand.
Re: new router attacks
Posted: Wed Jul 17, 2019 4:30 pm
by KBD
Yes, change the default password on your router if you haven't already. Also run any firmware upgrade available on your router. My router is about a year and a half old and had a firmware upgrade last week that I ran.
Re: new router attacks
Posted: Wed Jul 17, 2019 4:50 pm
by Head_on_a_Stick
To protect against DNS hijacking in the router instruct NetworkManager to leave /etc/resolv.conf alone by creating a file at /etc/NetworkManager/conf.d/dns.conf with this content:
Then edit /etc/resolv.conf and populate it with a custom nameserver, I like Quad9:
E485:~$ cat /etc/resolv.conf
nameserver 9.9.9.9
E485:~$
Other options are available:
https://en.wikipedia.org/wiki/Public_re ... _operators
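An added example, not part of Head_on_a_Stick's post: a shell check that the local DNS pinning described above is still in effect. It assumes `dns=none` under `[main]`, NetworkManager's setting for leaving /etc/resolv.conf untouched (the post's own file content is not shown on this page); the function names and sample files are constructed for illustration.

```shell
# Added example: audit local DNS pinning. Names and samples are constructed.

# Print each nameserver address in a resolv.conf-style file.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed only if the file lists at least one nameserver and every one
# is in the allowlist passed as the remaining arguments.
check_resolv() (
    file=$1; shift
    seen=0; status=0
    for ns in $(list_nameservers "$file"); do
        seen=1; ok=0
        for allowed in "$@"; do
            if [ "$ns" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then echo "unexpected nameserver: $ns"; status=1; fi
    done
    if [ "$seen" -eq 0 ]; then status=1; fi
    exit "$status"
)

# Print the dns= value from [main] across *.conf snippets in a directory.
# Snippets are read in name order, so the last one that sets it wins.
nm_dns_mode() {
    for f in "$1"/*.conf; do
        if [ -f "$f" ]; then
            awk -F= '/^\[/ { sect = $0 }
                     sect == "[main]" && $1 == "dns" { print $2 }' "$f"
        fi
    done | tail -n 1
}

# Constructed samples: a pinned resolv.conf, one that also lists a LAN
# router as resolver, and a NetworkManager snippet (assumed dns=none).
make_samples() {
    d=$(mktemp -d)
    printf 'nameserver 9.9.9.9\n' > "$d/pinned"
    printf 'nameserver 192.168.1.1\nnameserver 9.9.9.9\n' > "$d/router"
    mkdir "$d/conf.d"
    printf '[main]\ndns=none\n' > "$d/conf.d/dns.conf"
    echo "$d"
}

d=$(make_samples)
echo "NetworkManager dns mode: $(nm_dns_mode "$d/conf.d")"
check_resolv "$d/pinned" 9.9.9.9 && echo "pinned: ok"
check_resolv "$d/router" 9.9.9.9 || echo "router: resolver list changed"
rm -rf "$d"
```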
Re: new router attacks
Posted: Thu Jul 18, 2019 11:00 am
by sg-1
The router password is very important to avoid unwanted attacks.
I want to inform you how to best protect the router from intrusions.
Password entropy is available to us, each character corresponds to a specific weight.
Only numbers 3.32
Numbers and characters 4.00
Lowercase characters 4.70
Numbers and uppercase characters 5.10
Upper and lower case characters 5.70
Lowercase and uppercase numbers and characters 5.90
ASCII symbols 6.50
The password must have 64 bits of Entropy, equal to the sum of the character weight described above.
It is not appropriate to use only 19 ASCII characters to reach 65 bits of Entropy, but it is the set
which strengthens the password. A brute-force attack takes about 145 years to read the content.
A 56 bit password only 15 days.
KeePass helps you to create the necessary entropy.
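An added example, not part of sg-1's post: a shell screen for a router admin login that rejects the default pairs quoted earlier in this thread and estimates entropy as password length times log2 of the character pool. The function names, pool sizes and sample passwords are assumptions made for the example.

```shell
# Added example: screen a router admin login. Names are constructed.

# Default username:password pairs quoted earlier in this thread.
DEFAULTS='admin:admin
admin:
admin:12345
Admin:123456
admin:gvt12345
admin:password
admin:vivo12345
root:root
super:super'

# Succeed if user ($1) and password ($2) form one of the default pairs.
is_default_login() {
    printf '%s\n' "$DEFAULTS" | grep -Fxq -- "$1:$2"
}

# Character pool implied by the classes present in the password.
# Pool sizes are assumptions: 10 digits, 26 + 26 letters, 32 punctuation.
pool_size() {
    pool=0
    case $1 in *[[:digit:]]*) pool=$((pool + 10)) ;; esac
    case $1 in *[[:lower:]]*) pool=$((pool + 26)) ;; esac
    case $1 in *[[:upper:]]*) pool=$((pool + 26)) ;; esac
    case $1 in *[![:alnum:]]*) pool=$((pool + 32)) ;; esac
    echo "$pool"
}

# Whole bits for a randomly generated password: length * log2(pool).
# For a human-chosen password this is only an upper bound.
entropy_bits() {
    awk -v n="${#1}" -v p="$(pool_size "$1")" \
        'BEGIN { if (p < 2) print 0; else print int(n * log(p) / log(2)) }'
}

# Reject default pairs and anything under the 64 bits named in the post.
audit_login() {
    if is_default_login "$1" "$2"; then echo "reject: default pair"; return 1; fi
    bits=$(entropy_bits "$2")
    if [ "$bits" -lt 64 ]; then echo "reject: $bits bits"; return 1; fi
    echo "ok: $bits bits"
}

audit_login admin gvt12345 || true
audit_login admin 'Tq7mZx2LpW9c'   # constructed sample password
```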
Re: new router attacks
Posted: Thu Jul 18, 2019 12:45 pm
by ChrisUK
Further to @Head_on_a_Stick's post above...
If you're curious about what you're using for DNS, the following two commands will help:
or
Re: new router attacks
Posted: Thu Jul 18, 2019 1:37 pm
by mmikeinsantarosa
I have an AT&T DSL router/wifi that has a password I use to access the network. That's the only password for this device, correct?
Re: new router attacks
Posted: Thu Jul 18, 2019 2:11 pm
by jackdanielsesq
I keep getting these BTC demands for bogus lewd site visitations - perhaps if I pay them, they will go away?
Any ideas?
Jack
Re: new router attacks
Posted: Thu Jul 18, 2019 4:11 pm
by mx-2018
mmikeinsantarosa wrote: Thu Jul 18, 2019 1:37 pm
I have an AT&T DSL router/wifi that has a password I use to access the network. That's the only password for this device, correct?
There are two passwords:
1) one to get you connected to the router/network/internet
2) one to manage/configure your router
Re: new router attacks
Posted: Thu Jul 18, 2019 4:23 pm
by mmikeinsantarosa
mx-2018 wrote: Thu Jul 18, 2019 4:11 pm
mmikeinsantarosa wrote: Thu Jul 18, 2019 1:37 pm
I have an AT&T DSL router/wifi that has a password I use to access the network. That's the only password for this device, correct?
There are two passwords:
1) one to get you connected to the router/network/internet
2) one to manage/configure your router
Kind of what I thought and the other password is probably a default.
Probably something to look into...
Re: new router attacks
Posted: Thu Jul 18, 2019 5:05 pm
by j2mcgreg
jackdanielsesq wrote: Thu Jul 18, 2019 2:11 pm
I keep getting these BTC demands for bogus lewd site visitations - perhaps if I pay them, they will go away?
Any ideas?
Jack
Not likely. They may see you as an easy mark and keep coming back for more, or they may run your credit card up to its limit, or both.